A document marked "strictly confidential" has been sent to the Serbian Security and Information Agency (BIA). It contains an offer to renew the license of a forensic tool from Israeli company Cellebrite, which is used to unlock and analyze smartphones.
Radio Free Europe/Radio Liberty's (RFE/RL) Balkan Service has had access to this document, which dates back to September 2015.
This is just one of several published documents related to Serbian security service purchases that REL has found on the so-called "dark net" - a part of the internet that requires special browsers to access and is often used for anonymous communication and data exchange.
Although it has been reported that the BIA has been using mobile communications interception tools in recent years, REL's research shows that this service likely has advanced forensic tools for almost all types of devices – and has been doing so for more than a decade.
The authenticity of the 2015 document has been confirmed by a source whose identity is known to REL, but who has insisted on remaining anonymous.
REL journalists have also conducted a background check through public databases – checking companies, individuals, and specific elements that appear on documents, such as signatures and seals.
What is contentious?
Analysis of documents published on the "dark net" shows that the BIA, at least twice - in 2015 and 2019 - has secretly invited companies to submit bids for the renewal of licenses for various forensic tools.
Among them is the powerful device for extracting data from mobile phones, UFED (Universal Forensic Extraction Device), manufactured by the Israeli company Cellebrite.
The report by the international organization Amnesty International, published in December 2024, shows that during that year in Serbia, the UFED device was used to forcibly unlock phones on at least seven occasions.
According to the report, there is detailed forensic evidence pointing to the illegal use of this tool during police interviews in Serbia and at the Security and Intelligence Agency (BIA).
It is said that the phones of journalists and activists were unlocked through software from the Israeli company Cellebrite, downloading their entire contents.
In some cases, according to the report, previously unknown spyware called NoviSpy was also installed on their phones, through which subsequent activities on the device – including photos, messages and internet searches – were monitored.
Although Cellebrite's products are used by police services around the world, the Israeli company announced, two months after the publication of the Amnesty International report, that it had withdrawn several licenses in Serbia - without specifying which institutions were affected.
The BIA's reaction to the report of Cellebrite's misuse of the device was brief: "banal sensationalism."
BIA has not responded to Radio Free Europe's request to explain how and why it purchased disputed software ten years ago.
Israeli company Cellebrite also did not answer a number of questions – including when the BIA started using their licenses, how it purchases them, and how the company verifies its customers to avoid potential misuse.
In a written response dated July 24, Cellebrite only emphasized that its technology assists in about 1.5 million cases a year, including – it says – some of the most important investigations of our time: from protecting children from trafficking and abuse, to arresting murderers, arsonists, terrorists and others who pose a danger to society.
What do the published documents show?
The documents, which contain offers for the purchase of several types of forensic software, were sent at the request of the BIA by the state-owned information technology company, Informatika AD, from Belgrade.
These documents were published on the "dark net" after a cyberattack on this company.
AD Informatika, in response to Radio Free Europe on July 24, questioned the authenticity of the documents, but confirmed that it had been the target of a hacker attack.
"Informatika AD has been the target of a criminal group that has attempted to blackmail the company, demanding a ransom for the stolen data. The case has been reported to the Prosecution for Organized Crime," the response states.
In response to numerous questions regarding offers for software licenses for the needs of the BIA and the method of verifying the clients with whom they cooperate, the company Informatika AD from Belgrade has stated that its activity is "protected by a number of confidentiality provisions, including internal rules, those of clients, as well as general provisions on official secrets and data protection."
The company also claims that it "has never had any business activity with the Israeli company Cellebrite."
However, AD Informatika has not provided an explanation for the fact that, if there is no business relationship with this company, how is it possible that in 2015 it sent the BIA an offer for the license of the Cellebrite company's UFED software tool.
What did BIA buy?
Published documents show that the first offer, which also included the renewal of licenses for Cellebrite's UFED device, was prepared by AD Informatika on September 22, 2015.
The total value of the contract was around 6.6 million dinars (approximately 55 thousand euros) and included licenses for several forensic tools, as well as licenses for various software solutions for the needs of the BIA.
The product list included two licenses for Cellebrite's UFED tool.
According to one of the published documents, in addition to equipment from the Israeli company Cellebrite, the Serbian Intelligence and Security Agency (BIA) has also purchased licenses from the Swedish company Micro Systemation for the XRY/XACT tool.
This tool is used to extract data from mobile devices, including messages, contacts, applications, and to create a complete copy of the device's memory (memory dump), including deleted, hidden, or protected data.
XRY/XACT has similar functions to Cellebrite's UFED tool.
Radio Free Europe journalists have not found in the published documents any contract signed between BIA and Informatika AD, which would prove that this company was officially awarded the supply contract.
According to the documents, BIA purchases software licenses through direct negotiations with several commercial companies, among which Informatika AD is only one of the bidders.
Neither BIA nor AD Informatika have provided answers to REL's questions about who was specifically involved in this process.
Six Cellebrite licenses were requested in 2019
From the bid documents of the company Informatika AD it appears that the Security and Information Agency (BIA) continued to use the Cellebrite tool in subsequent years.
In an invitation to submit bids, which BIA had sent to Informatika AD in early July 2019, it states:
"The bid opening and negotiation process will be held on July 15, 2019, at 12:00, at the address of the client - Queen Ana PN".
The purchase relates to a set of forensic tools for extracting data from phones and was divided into two parts: the first part included several forensic licenses, the second part included six licenses for UFED devices from the Israeli company Cellebrite.
The annual license renewal also included the XRY/XACT tool from Swedish company Micro Systemation, as well as AccessData's FTK (Forensic Toolkit) software. Also included in the list were Forensic Explorer, Magnet Axiom and X-Ways Forensics, which are used to analyze computers and hard drives.
Even for this procurement, Radio Free Europe journalists have not found any signed contract, while five other companies from Serbia also participated in the purchasing process.
What can the tools that BIA buys do?
“All these tools cover almost all digital forensics operations – for mobile phones and tablets, desktop and laptop computers, as well as for storage devices such as hard drives and USB sticks,” explains Fillip Milosevic from the Share Foundation, which monitors the impact of new technologies and the state of digital rights.
According to Milosevic, certain tools like Forensic Explorer can recover previously deleted data and extract web search history, as well as email correspondence.
He points out that tools like Magnet Axiom and AccessData Tools are capable of processing large amounts of data from various sources.
"They can create timelines, make connections between phone data and, for example, Google accounts, reconstruct the activities of suspects and visualize them in different ways," adds Milosevic.
"Strictly confidential" purchase
In the procurement documents, these purchases are classified as "strictly confidential".
The BIA Law gives this institution the authority to decide on its own how to conduct procurements that are important for operational work and national security – including the right to classify them as secret.
For this reason, the public in Serbia has not had access to information about what BIA purchases and in what way for years.
"We inform you that the procurement is not carried out according to the procedure provided for by the Law on Public Procurement, but according to the by-laws of the Government of the Republic of Serbia and the Agency for Security and Information", states the text of the offer of Informatika AD, dated September 22, 2015, signed by a representative of the company.
The same employee, whose name is known to the REL editorial team, has also signed a separate form committing not to disclose the identity of the end user – i.e. BIA – to any other party in the supply chain, and that he will seek prior approval from BIA for any information that may be requested about the end user.
"A dangerous global trend"
Radio Free Europe's research confirms once again that "powerful surveillance tools are being purchased and used in a completely secretive, non-transparent and non-accountable manner - a global trend that is not only unacceptable, but also dangerous and harmful," says Alosha Ajanovic Andellic from the organization EDRi (European Digital Rights).
EDRi is a European network of organizations that protect citizens' digital rights, such as privacy, freedom of expression and access to information. According to Ajanović Andelić, the new data makes the situation even more worrying.
"Cellebrite is part of an ecosystem of spyware and should be treated as such. When used against activists, journalists, political opponents or migrants, it becomes a tool of political repression," he says.
Ajanović Andelić emphasizes that such use is not only controversial, but constitutes a clear violation of fundamental human rights – and as such should be prohibited./ REL (A2 Televizion)
A2 CNN Livestream
MUND TE LEXONI GJITHASHTU
